"Cybersecurity is a shared responsibility, and it boils down to this: in cybersecurity the more systems we secure, the more secure we all are" ~ Jeh Johnson
A recent study on security culture by Dr Adele da Veiga from UNISA indicated a clear difference between the stick and the carrot in the online security culture of South African businesses. Whereas most business training in 2017 focuses on motivation and on the development and leadership styles that aim to inspire employees towards proactive management, this does not seem to be the case with online security.
When respondents were asked to answer yes, no or don't know to two questions, "My organisation has a disciplinary process in place for non-compliance with its information security policies." and "My organisation has a rewards process (recognition, part of performance appraisals, rewards, etc.) in place for compliance with its information security policies.", a very clear lack of focus on rewards and recognition came to light.
On the first question, about the disciplinary process, an expected majority of 79% indicated that their companies have some procedure in place to enforce compliance with online security. The total opposite was discovered when it came to recognition, where only 13% of employees indicated they have some reward system in place to motivate them to ensure their day-to-day online behaviour is safe and secure.
With the fast pace of technology and development online today, it is important to understand that policies usually develop after issues and security concerns are discovered. By being proactive and providing a carrot for employees to police their own behaviour, you would be able to create opportunities for them to highlight security concerns with the new online tools that are popping up daily, flagging issues before they happen.